Apparently they are going through FORWARD - with the source IP of the backend - instead of the source IP of the VIP - that the client actually accessed.

Also - for some reason there's no state - so I had to allow ALL packets with source-port of 80 or 443 in the FORWARD chain. Not exactly great for a secure setup :(

Graeme Fowler said the following on 08/13/2012 01:46 PM:
> On Mon, 2012-08-13 at 13:20 +0200, Klavs Klavsen wrote:
>> Chain FORWARD (policy DROP)
>> target prot opt source destination
>> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
>> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
>> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> I'm not 100% sure, but it looks like this is your problem. Remove those rules and see what happens.
>
> * I say "not sure" because I'm not sure whether the incoming packets will traverse the FORWARD chain or be hoiked past it by ipvs.
>
> Graeme
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users

--
Regards,
Klavs Klavsen, GSEC - [email protected] - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
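As an added illustration (not code from this thread or from the LVS project), the POSIX shell script below writes out the FORWARD rules quoted in the post in iptables-save syntax, puts the "accept anything with source port 80/443" workaround next to a tighter variant that only accepts such packets from the real servers and never as a bare SYN, and includes a small audit helper that flags ACCEPT rules keyed on --sport with no source restriction. The real-server addresses are constructed placeholders, and the script only prints rules; it assumes the director topology described in the post and does not load anything into the kernel.

```shell
#!/bin/sh
# Added example, not from the list thread: emit the FORWARD rules described in
# the post next to a tighter variant, in iptables-save syntax, and audit them.
# Addresses are constructed placeholders for an assumed LVS-NAT director.
RIPS="10.0.0.11 10.0.0.12"   # assumed real-server (backend) addresses

# Rules already shown in the post: allow new connections to ports 80/443 and
# keep the state-based ACCEPT for everything conntrack does track.
base_rules() {
    for p in 80 443; do
        echo "-A FORWARD -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# The workaround the post resorted to: accept anything with source port
# 80 or 443, from any address, because the backend replies carry no state.
loose_reply_rules() {
    for p in 80 443; do
        echo "-A FORWARD -p tcp --sport $p -j ACCEPT"
    done
}

# Tighter variant: only accept those stateless replies when they really come
# from a real server, and never with only SYN set, so a host elsewhere cannot
# pass FORWARD merely by choosing source port 80.
tight_reply_rules() {
    for rip in $RIPS; do
        for p in 80 443; do
            echo "-A FORWARD -s $rip -p tcp --sport $p ! --syn -j ACCEPT"
        done
    done
}

# Audit helper: given rule lines on stdin, print ACCEPT rules that match on
# --sport without any -s source restriction (the pattern worth reviewing).
audit_unscoped_sport() {
    grep -- '--sport' | grep -- '-j ACCEPT' | grep -v -- ' -s '
    return 0
}

# Count helper for quick checks; trims the padding wc adds on some platforms.
count_lines() { wc -l | tr -d ' '; }

# Print the complete filter table so it can be reviewed or fed to iptables-restore.
print_table() {
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    base_rules
    "$1"                         # loose_reply_rules or tight_reply_rules
    echo "-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
    echo "COMMIT"
}

print_table tight_reply_rules
echo "# unscoped --sport ACCEPTs in loose set: $(loose_reply_rules | audit_unscoped_sport | count_lines)"
echo "# unscoped --sport ACCEPTs in tight set: $(tight_reply_rules | audit_unscoped_sport | count_lines)"
```

Run it as `sh script.sh`; swap `tight_reply_rules` for `loose_reply_rules` in the `print_table` call to see the two tables side by side. The `! --syn` match only passes segments that are not pure connection-openers, which is the one property a genuine backend reply always has, while the `-s` restriction ties the exception to the real-server addresses instead of to a port number anyone can choose.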
